#######################################################################
Luigi Auriemma
Application: Winamp
http://www.winamp.com
Versions: <= 5.5.8.2985 (aka v5.581)
Platforms: Windows
Bugs: A] integer overflow in in_mkv
B] integer overflow in in_nsv
C] integer overflow in in_midi
D] buffer-overflow in in_mod
Exploitation: remote, versus server
Date: 13 Oct 2010
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Winamp is one of the most diffused and appreciated media players for
Windows.
#######################################################################
=======
2) Bugs
=======
-----------------------------
A] integer overflow in in_mkv
-----------------------------
The in_mkv plugin uses a particular function (address 077078c0) for
reading text strings from the Matroska containers.
The operations performed are the reading of the ebml numeric value
(64bit), the allocation of memory corresponding to that value (32bit)
plus 1 and the subsequent reading of the data from the file leading to
possible code execution:
buff = malloc(size + 1);
if(buff) fread(buff, 1, size, fd);
-----------------------------
B] integer overflow in in_nsv
-----------------------------
The in_nsv plugin is affected by an heap-overflow caused by the
function (address 077ca422) that first verifies the size of the
metadata string contained in the file adding 1 to it and then copies
0x1fffffff bytes in a heap buffer leading to possible code execution
(077C8577 CALL DWORD PTR DS:[EAX+8]):
memcpy(heap_buffer, attacker_data, size >> 3);
------------------------------
C] integer overflow in in_midi
------------------------------
The in_midi plugin is affected by an heap overflow during the handling
of the hmp files (a format used in some old DOS games) where a
variable-length 32bit value is used for the copying of data with
memcpy() from the attacker's data to a heap buffer which has not been
reallocated for matching the needed size due to an integer overflow.
Doesn't seem possible to control the code execution.
----------------------------
D] buffer-overflow in in_mod
----------------------------
The in_mod plugin is affected by a stack overflow which happens during
the handling of a malformed MTM file but it's required that the user
manually clicks on the player for visualizing the detailed informations
of the track.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/winamp_1.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################